Product Idea

Jama removes information when editing HTML code in the "Source" mode

  • 1.  Jama removes information when editing HTML code in the "Source" mode

    Posted 03-25-2015 04:12
    Jama removes HTML tags and style attributes it doesn't like.
    When creating with the following style to arrange the table's caption:

    <caption style="caption-side:bottom; text-align:left; font-style:italic">

    this style is overwritten by a simple

    <caption style="text-align:left">

    Even worse: The <abbr> tag is completely removed although its title tag may contain vital information to understand an abbreviation correctly in its context.


  • 2.  Re: Jama removes information when editing HTML code in the "Source" mode

    Posted 03-25-2015 13:20
    Thanks for providing so much context regarding this idea, Eugen.


  • 3.  Re: Jama removes information when editing HTML code in the "Source" mode

    Posted 05-04-2015 03:52

    Hi Guys,

    thank you for the background information.

    You might want to consider using a blacklist approach rather than a whitelist approach next time when this affects existing values on customer systems (they are LOST when editing an issue). And even if that's the case, you might want to strip them when rendering the result regardless of when the issue was entered.

    I really don't see a security issue with style attributes, tags for abbr, acronym, definition lists (dl, dd, dt) etc.

    Florian



  • 4.  Re: Jama removes information when editing HTML code in the "Source" mode

    Posted 05-04-2015 12:37
    Florian, thanks for the input. Can you clarify what systems you are using that contain these HTML tags that then get stripped from Jama? Is it JIRA?


  • 5.  Re: Jama removes information when editing HTML code in the "Source" mode

    Posted 05-04-2015 12:51
    I'm talking about items that were created before the Jama update and lose the tags now when they're edited. So it's not an import issue but a lifecycle issue.


  • 6.  Re: Jama removes information when editing HTML code in the "Source" mode

    Posted 05-04-2015 13:14
    Oh, ok—did this issue become a problem for you when we upgraded the rich text editor (CK Editor) in Jama 2014.2?


  • 7.  Re: Jama removes information when editing HTML code in the "Source" mode

    Posted 05-05-2015 02:31
    Most probably. We updated from 2014.1 directly to 2015.2.


  • 8.  Re: Jama removes information when editing HTML code in the "Source" mode

    Posted 05-05-2015 12:41
    Ah, OK. Thanks for helping me get that clarified. We found a bug after we upgraded the RTE; the newer version strips out <p> tags (SOS-BUG-572), so when you edit an older item it loses its spacing. What other sorts of HTML have you seen it strip?


  • 9.  Re: Jama removes information when editing HTML code in the "Source" mode

    Posted 05-07-2015 12:25
    The <abbr> tags are completely removed, <dl>, <dd>, and <dt> are replaced by I think just plain paragraphs which makes editing a pain (replacing by <ul> would have been nicer), and the style property of the <caption> tag is updated as described by Eugen above. These were just the obvious ones I stumbled across but I'm not sure how many more tags are replaced or stripped.


  • 10.  Re: Jama removes information when editing HTML code in the "Source" mode

    Posted 05-07-2015 14:32
    OK, I see. I'm really sorry about the inconvenience it caused you and your colleagues—we should have communicated that the behavior with the rich text editor was changing when we upgraded to a newer version of CKEditor in Jama. I think your points about switching to a blacklist for HTML make sense. In terms of the whitelist, have you or Eugen been able to make this work for you?


  • 11.  Re: Jama removes information when editing HTML code in the "Source" mode

    Posted 05-08-2015 03:03

    Thank you for considering this in the future.

    With regard to your proposed change: It was not yet implemented as we have to test such changes first and announce their introduction on the production system before they are allowed to be applied.

    So I as a user still have to wait. As a workaround I just keep the items containing definition lists as is for now. The rest is something I can (and will have to) change manually again.



  • 12.  Re: Jama removes information when editing HTML code in the "Source" mode

    Posted 05-08-2015 03:10
    We used html-coded check-boxes in specification templates for our product management. We had e.g. one requirement for vibration resistance listing a lot of common standards. The Product Manager was able to activate the check boxes to choose the standards they need for their product.

    The check-boxes are also removed...


  • 13.  Re: Jama removes information when editing HTML code in the "Source" mode

    Posted 05-13-2015 20:29
    Hello, all! At this point I can confirm that the rich text editor (CK Editor) we are using in Jama scrubs HTML input as a security measure. It does this two ways:
    1. By cleaning content, which looks to users like a simplification and removal of some code. It does this when you switch between WYSIWYG and Source editing.
    2. On save of an item, the content goes through a whitelist to prevent XSS attacks.
    What is unclear to me is at what point changes were made to Jama that are causing you to notice this—I have been unable to track down what particular changes might have occurred after 4.2.7.

    I have removed some comments from this thread because we are no longer recommending users update the security cleaner file to allow additional HTML to be enabled in Jama's rich text editor. This method has not been fully tested, so we are not clear on the ramifications of allowing different code, particularly in how it interacts with the Exporting features of Jama.

    However, there was some valuable input made by you all that I'd like to keep here for when we consider this feature.
    Sebastian: We used html-coded check-boxes in specification templates for our product management. We had e.g. one requirement for vibration resistance listing a lot of common standards. The Product Manager was able to activate the check boxes to choose the standards they need for their product. The check-boxes are also removed...

    Florian: The <abbr> tags are completely removed, <dl>, <dd>, and <dt> are replaced by I think just plain paragraphs which makes editing a pain (replacing by <ul> would have been nicer), and the style property of the <caption> tag is updated as described by Eugen above. These were just the obvious ones I stumbled across but I'm not sure how many more tags are replaced or stripped.
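
The thread above turns on two points: post 3 suggests a blacklist (blocklist) instead of a whitelist (allowlist), and post 13 explains that Jama's save path runs content through a whitelist to prevent XSS. The example below is an added illustration written for this thread, not Jama's or CKEditor's code, of what a save-time allowlist sanitizer looks like and why the loss of `<abbr>`, definition lists and `caption` styles is a symptom of an allowlist that is too narrow rather than an argument for a blocklist. A blocklist has to enumerate every dangerous tag, event attribute and URL scheme in advance and silently passes anything it did not anticipate; an allowlist passes only what was deliberately approved, so the fix for lost content is to approve the missing tags (with their safe attributes) rather than to invert the model. The tag and attribute set, the permitted `style` properties, the `sanitize` and `clean_style` function names and all sample inputs are this example's own assumptions.

```python
import html
import re
from html.parser import HTMLParser

# Allowlist (assumed for this example): tag -> attributes permitted on it.
# Anything not listed is dropped; the text inside a dropped tag is kept.
ALLOWED = {
    "p": set(), "br": set(), "strong": set(), "em": set(),
    "ul": set(), "ol": set(), "li": set(),
    "dl": set(), "dt": set(), "dd": set(),        # definition lists from post 9
    "abbr": {"title"},                            # keep the abbreviation's expansion
    "table": set(), "caption": {"style"}, "tr": set(), "th": set(), "td": set(),
    "a": {"href"},
}
VOID = {"br"}
# Tags whose content is removed together with the tag.
DROP_WITH_CONTENT = {"script", "style"}
# Only these CSS properties survive in a style attribute (covers post 1's caption).
ALLOWED_STYLE_PROPS = {"caption-side", "text-align", "font-style", "font-weight"}
# Values are restricted to plain keywords/numbers: no url(), expression(), quotes.
SAFE_STYLE_VALUE = re.compile(r"^[a-zA-Z0-9 #%.,-]+$")
SAFE_URL = re.compile(r"^(https?:|mailto:)", re.IGNORECASE)


def clean_style(value):
    """Keep only allowlisted property:value declarations from a style attribute."""
    kept = []
    for decl in value.split(";"):
        if ":" not in decl:
            continue
        prop, _, val = decl.partition(":")
        prop, val = prop.strip().lower(), val.strip()
        if prop in ALLOWED_STYLE_PROPS and SAFE_STYLE_VALUE.match(val):
            kept.append(f"{prop}:{val}")
    return "; ".join(kept)


class AllowlistSanitizer(HTMLParser):
    """Rebuilds an HTML fragment from allowlisted tags/attributes only."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = []       # (tag, attr) pairs removed; attr is None for a whole tag
        self._skipping = None   # set while inside a DROP_WITH_CONTENT element

    def _clean_attrs(self, tag, attrs):
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED[tag]:
                self.dropped.append((tag, name))
                continue
            if name == "style":
                value = clean_style(value)
                if not value:
                    self.dropped.append((tag, name))
                    continue
            elif name == "href" and not SAFE_URL.match(value.strip()):
                self.dropped.append((tag, name))
                continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        return "".join(kept)

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self._skipping = tag
        if tag not in ALLOWED or self._skipping:
            self.dropped.append((tag, None))
            return
        self.out.append(f"<{tag}{self._clean_attrs(tag, attrs)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag == self._skipping:
            self._skipping = None
            return
        if tag in ALLOWED and tag not in VOID and not self._skipping:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skipping:
            self.out.append(html.escape(data, quote=False))


def sanitize(fragment):
    """Return (clean_html, dropped) for an untrusted HTML fragment."""
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out), parser.dropped


if __name__ == "__main__":
    # Constructed sample: post 1's caption style and an abbr both survive intact.
    print(sanitize('<caption style="caption-side:bottom; text-align:left; '
                   'font-style:italic">Table 1</caption>'))
    print(sanitize('<abbr title="Application Programming Interface">API</abbr>'))
    # Event handler attributes and script URLs are dropped and reported.
    print(sanitize('<p onclick="alert(1)">x</p>'))
```

The `dropped` list is the part a product team would want: logging it at save time tells users exactly which tag or attribute was removed instead of silently rewriting their content, which is the complaint in posts 1, 9 and 12.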